Routing to/from Multipoint to a point-to-point vpn SRX210BE

  • 1.  Routing to/from Multipoint to a point-to-point vpn SRX210BE

    Posted 09-25-2018 14:18

    I have an SRX210BE-1MB, latest Junos.

    There is a hub-spoke VPN setup, and I can route traffic between spokes and hub (SRX trust zone).

    There is a separate VPN that is point-to-point to a SonicWall firewall in its own zone.

    I can't seem to route traffic between the multipoint tunnel st0.6 (hub/spoke VPN) and the point-to-point tunnel st0.1 (SonicWall VPN).

    I've tried with policies including intra-zone to turn on internal policy routing (ex. zone Sonic to zone Sonic).

    Any helpful suggestions how to route any or all spokes (hub/spoke VPN) to another VPN that is point-to-point?

    Zone VPN-MULTIHOME to Zone VPN-SONICWALL.

    Thank you!



  • 2.  RE: Routing to/from Multipoint to a point-to-point vpn SRX210BE

    Posted 09-25-2018 20:02

    Mr Do,

    I'm not sure if SRX can work with SonicWall for hub and spoke (if my understanding is correct based on your post).

    In my opinion, you do a normal SRX policy-based VPN with proxy-IDs that match your SonicWall subnet for the VPN tunnel.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB29364&actp=METADATA

    Hope this helps...



  • 3.  RE: Routing to/from Multipoint to a point-to-point vpn SRX210BE

    Posted 09-26-2018 14:01

    The hub-spoke setup on the SRX is only with remote firewalls that are Juniper/Netscreen based (SSG5, Netscreen 5GT). I'm able to route traffic just fine on that setup.

    The point-to-point setup with a SonicWall is a separate configuration on the same SRX and works fine. The SonicWall has my subnets from the spokes and the SRX trust zone. I can only ping the SonicWall subnet from my trust zone and not from the spokes.

    I don't know or can't figure out how to route from a spoke tunnel to the active VPN to the SonicWall. I'm sure it's something so simple I'm overlooking it....



  • 4.  RE: Routing to/from Multipoint to a point-to-point vpn SRX210BE

    Posted 09-26-2018 15:17

    Thanks for the article. It does point out only ONE proxy ID on a route-based VPN. Guess I'll need to look into changing to policy-based to get multiple proxy-IDs (spokes) through that SonicWall VPN.

    Again, thanks!



  • 5.  RE: Routing to/from Multipoint to a point-to-point vpn SRX210BE
    Best Answer

    Posted 09-26-2018 15:21

    Right, proxy ID only supports one pair in a configuration.

    You can use traffic selectors with a route-based VPN to add multiple subnets on the VPN. Naturally the SonicWall side also has to have the same pairs of networks set up as well.

    https://www.juniper.net/documentation/en_US/junos/topics/example/ipsec-vpn-traffic-selector-configuring.html

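Added example, not from the thread or from Juniper's documentation: the `srx-to-sonic` VPN quoted later in this thread rewritten with traffic selectors in place of the single `proxy-identity`, one local/remote pair per subnet that should enter the SonicWall tunnel, plus the zone policies that let hub-spoke traffic cross from zone VPN-MULTIHOME into zone VPN-SONICWALL. The subnets are the ones the OP quotes (192.168.90.0/24 trust, 192.168.14.0/24 behind the SonicWall, 10.10.76.0/24 and 10.10.77.0/24 as two of the spokes); the selector, address-book and policy names are my own assumptions.

```junos
/* Added example, not the OP's or Juniper's configuration.
   traffic-selector and proxy-identity are mutually exclusive on one vpn
   object, so remove the old stanza first:
     delete security ipsec vpn srx-to-sonic ike proxy-identity */
security {
    ipsec {
        vpn srx-to-sonic {
            bind-interface st0.4;
            ike {
                gateway sonicexpress;
                ipsec-policy P2Sonicpolicy;
            }
            /* Each traffic-selector negotiates its own Phase 2 SA; the
               SonicWall must carry a matching local/remote pair for every one
               (its "local" is our remote-ip and vice versa). */
            traffic-selector ts-trust {
                local-ip 192.168.90.0/24;
                remote-ip 192.168.14.0/24;
            }
            traffic-selector ts-spoke76 {
                local-ip 10.10.76.0/24;
                remote-ip 192.168.14.0/24;
            }
            traffic-selector ts-spoke77 {
                local-ip 10.10.77.0/24;
                remote-ip 192.168.14.0/24;
            }
            establish-tunnels immediately;
        }
    }
    /* Address-book entries and names are assumptions; the global book is
       used so the same objects serve both zone pairs below. */
    address-book {
        global {
            address spoke-76 10.10.76.0/24;
            address spoke-77 10.10.77.0/24;
            address sonic-net 192.168.14.0/24;
            address-set spoke-nets {
                address spoke-76;
                address spoke-77;
            }
        }
    }
    policies {
        /* Spoke traffic arrives on st0.6 (VPN-MULTIHOME) and leaves on st0.4
           (VPN-SONICWALL); without this inter-zone policy it is dropped. */
        from-zone VPN-MULTIHOME to-zone VPN-SONICWALL {
            policy spokes-to-sonic {
                match {
                    source-address spoke-nets;
                    destination-address sonic-net;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Only needed if hosts behind the SonicWall open sessions to spokes;
           replies to spoke-initiated sessions match the existing flow. */
        from-zone VPN-SONICWALL to-zone VPN-MULTIHOME {
            policy sonic-to-spokes {
                match {
                    source-address sonic-net;
                    destination-address spoke-nets;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

Two things to check after commit. First, once the SAs come up the SRX installs a route for each `remote-ip` prefix through st0.4 on its own (auto route insertion), so a separate static route for 192.168.14.0/24 is no longer needed; `show route 192.168.14.0/24` should show st0.4 as the next hop and `show security ipsec traffic-selector interface-name st0.4` should list one entry per selector. Second, each spoke still has to send 192.168.14.0/24 into its own tunnel to the hub; the hub-side selectors do nothing for a spoke whose routing table sends that prefix out its default gateway instead.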

  • 6.  RE: Routing to/from Multipoint to a point-to-point vpn SRX210BE

    Posted 09-26-2018 17:11

    Thanks to everyone who replied!

    Learned a new feature in Junos today: traffic-selector

    Now I can route from my hub-spoke VPN to the point-to-point VPN. Spokes are happy!

    Cheers!



  • 7.  RE: Routing to/from Multipoint to a point-to-point vpn SRX210BE

    Posted 09-26-2018 02:42

    The SRX has an open proxy ID by default so that any IP address can be encrypted and sent in the tunnel. This is not supported on SonicWall. So you will have your pairs of allowed traffic set up on that tunnel via proxy ID or tunnel selectors.

    This means that only the local address subnets on those lists will be allowed to enter the SonicWall tunnel. So likely your remote spoke sites are not on this list.

    You can ask that the SonicWall tunnel be expanded to include all the subnets that you want to include as traffic. But if you have a very large number of sites there is likely a limit to the number that can be put there.

    The other option is to source NAT the spoke site address to a local address on the SRX that is allowed in the SonicWall tunnel. Then the traffic can go into the tunnel and be returned.

    However, this will only work for traffic that is generated by spokes into the SonicWall tunnel. The remote SonicWall devices will not be able to initiate the session.


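Added example, not from the thread, of the source NAT fallback described in the reply above, for the case where the SonicWall side cannot be widened: every spoke source in 10.10.0.0/16 headed for 192.168.14.0/24 is hidden behind one address that already sits inside the tunnel's local proxy-ID 192.168.90.0/24, so the `srx-to-sonic` VPN keeps its single `proxy-identity` pair unchanged. The pool address 192.168.90.250, the pool, rule-set, rule and policy names, and the zone names VPN-MULTIHOME/VPN-SONICWALL (as the OP calls them) are assumptions; 192.168.90.250 must be an address no real host on the trust LAN uses.

```junos
/* Added example, not the OP's configuration. Spoke sources are translated
   to one address inside proxy-identity local 192.168.90.0/24 before they
   enter st0.4, so the SonicWall only ever sees 192.168.90.x traffic. */
security {
    nat {
        source {
            pool spoke-hide-pool {
                /* Assumed unused address on the trust subnet. Port
                   translation is on by default for a source pool, so one
                   /32 serves all five spokes at once. */
                address {
                    192.168.90.250/32;
                }
            }
            rule-set spokes-to-sonic {
                from zone VPN-MULTIHOME;
                to zone VPN-SONICWALL;
                rule hide-spokes {
                    match {
                        source-address 10.10.0.0/16;
                        destination-address 192.168.14.0/24;
                    }
                    then {
                        source-nat {
                            pool {
                                spoke-hide-pool;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        /* NAT alone does not permit anything; the zone policy still has to
           allow the flow. Policy lookup uses the pre-NAT source, so a
           narrower match here would name the 10.10.x.x spoke range, not
           192.168.90.250. */
        from-zone VPN-MULTIHOME to-zone VPN-SONICWALL {
            policy spokes-to-sonic {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

Return packets from the SonicWall arrive on st0.4 addressed to 192.168.90.250, match the existing session and are un-translated back to the spoke, so nothing on the trust LAN has to answer ARP for that address. `show security nat source rule all` shows the translation hit counter climbing, and `show security flow session destination-prefix 192.168.14.0/24` shows the spoke's real address on the In wing and 192.168.90.250 on the Out wing. The limitation in the reply above stands: a host behind the SonicWall has no route to 10.10.x.x and cannot open a session to a spoke.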

  • 8.  RE: Routing to/from Multipoint to a point-to-point vpn SRX210BE

    Posted 09-26-2018 14:48

    Thank you, Steve.

    I did notice I had the local subnet on the SRX as the local proxy ID on the VPN. I changed it to one of the spoke subnets and I can ping to the SonicWall.

    So far working as expected. Now I just need to include all spokes (5 of them) in 10.10.X.X in the local proxy ID.

    Not sure how to add multiple local proxy IDs for this VPN. I tried with 10.10.0.0/16. Can I add multiple local and remote proxy-IDs on this VPN?

    vpn srx-to-sonic {
        bind-interface st0.4;
        ike {
            gateway sonicexpress;
            proxy-identity {
                /* 192.168.90.0/24 is the local subnet on the SRX trust zone;
                   the spokes are 10.10.76.0, 10.10.77.0, ... */
                local 192.168.90.0/24;
                remote 192.168.14.0/24;
                service any;
            }
            ipsec-policy P2Sonicpolicy;
        }
        establish-tunnels immediately;
    }